PM19056: DC ATTRIBUTE ENCODINGS AS IA5STRING AND PRINTABLESTRING

APAR status

Closed as program error.

Error description

Error Message: While using the Java Security CertPath component
to validate a certificate chain within which the Subject DN
contains a "DC" attribute, the customer experiences a
"certificate chaining error".

Stack Trace: N/A

Local fix

Problem summary

Some time ago, an error was discovered within the Java Security
PKCS component where it would incorrectly DER encode the "DC"
attribute of a distinguished name as a PrintableString. When
this error was discovered, a fix was made to PKCS so that it
would encode the "DC" attribute properly as an IA5String (refer
to RFC 2253). Unfortunately, one or more IBM/Tivoli customers
had already generated certificates which contained distinguished
names with DC attributes encoded as PrintableStrings. While
trying to validate these older certificates with the Java
Security CertPath component (and with the fix to PKCS above),
these customers experienced a "certificate chaining error"
because the updated PKCS component was trying to match a DC
attribute encoded as an IA5String to one encoded as a
PrintableString.

Problem conclusion

This defect will be fixed in:
1.4.2 SR13 FP8
5.0.0 SR12
6.0.0 SR9

A fix has been made to the Java Security PKCS component which
enables it to tolerate a "DC" attribute encoded as a
PrintableString when it is comparing the attribute value pairs
of a distinguished name.

To obtain the fix:
Install build 20100918 or later
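
The encoding mismatch described in the problem summary, and the tolerant comparison described in the problem conclusion, shown at the DER byte level. This is an added example, not IBM's PKCS code: the function names, the sample value "example" and the byte-for-byte model of the failing comparison are assumptions made for illustration.

```python
PRINTABLE_STRING, IA5_STRING = 0x13, 0x16           # ASN.1 universal tags
OID_DC = bytes.fromhex("0992268993f22c640119")      # 0.9.2342.19200300.100.1.25
OID_CN = bytes.fromhex("550403")                    # 2.5.4.3, used for contrast

def tlv(tag, content):
    """DER tag-length-value, short-form length only (enough for this demo)."""
    if len(content) > 0x7F:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(content)]) + content

def encode_atv(oid, string_tag, text):
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value <string type> }"""
    return tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode("ascii")))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos), rejecting truncated or long-form input."""
    if pos + 2 > len(buf) or buf[pos + 1] > 0x7F:
        raise ValueError("unsupported or truncated TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos], buf[pos + 2:end], end

def decode_atv(der):
    """Return (oid, string_tag, value_bytes) of one AttributeTypeAndValue."""
    tag, body, end = read_tlv(der)
    oid_tag, oid, pos = read_tlv(body)
    str_tag, value, body_end = read_tlv(body, pos)
    if tag != 0x30 or oid_tag != 0x06 or end != len(der) or body_end != len(body):
        raise ValueError("not a well-formed AttributeTypeAndValue")
    return oid, str_tag, value

def strict_match(a, b):
    """Byte-for-byte comparison, which fails when only the string tag differs."""
    return a == b

def tolerant_match(a, b):
    """Accept a PrintableString/IA5String tag difference, for DC only."""
    oid_a, tag_a, val_a = decode_atv(a)
    oid_b, tag_b, val_b = decode_atv(b)
    if oid_a != oid_b or val_a != val_b:
        return False
    if tag_a == tag_b:
        return True
    return oid_a == OID_DC and {tag_a, tag_b} == {PRINTABLE_STRING, IA5_STRING}

# Constructed sample: the same DC value as an old and a new encoder would emit it.
OLD_DC = encode_atv(OID_DC, PRINTABLE_STRING, "example")
NEW_DC = encode_atv(OID_DC, IA5_STRING, "example")
```

The two encodings differ in a single byte, the string tag (0x13 versus 0x16). The relaxation is limited to the DC attribute, so a tag mismatch on any other attribute type still fails.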